
UCL Crypto Group Technical Report Series

Common modulus attack against Lucas-based systems


Marc Joye

http://www.dice.ucl.ac.be/crypto/

Technical Report CG-1996/10

Place du Levant, 3, B-1348 Louvain-la-Neuve, Belgium
Phone: (+32) 10 472541, Fax: (+32) 10 472598

December 21, 1996

Département de Mathématique (AGEL), Université catholique de Louvain, Chemin du Cyclotron, 2, B-1348 Louvain-la-Neuve, Belgium. E-mail: joye@agel.ucl.ac.be

In his Ph.D. thesis, Bleichenbacher [1] shows how to forge a signature from only one other signature. This attack makes it possible to exhibit the common modulus protocol failure [3]. Let $(e_1, d_1)$ and $(e_2, d_2)$ be two pairs of encryption/decryption keys and let $n$ be the public modulus. From two ciphertexts of the same message $m$, $c_1 = V_{e_1}(m, 1) \bmod n$ and $c_2 = V_{e_2}(m, 1) \bmod n$, it is possible to recover $m$ as follows. Assuming $e_1$ relatively prime to $e_2$, use the extended Euclidean algorithm to find integers $r$ and $s$ such that $r e_1 + s e_2 = 1$. Then,

$$m \equiv \frac{1}{2}\left[ V_r(c_1, 1)\, V_s(c_2, 1) + (c_1^2 - 4)\, U_r(c_1, 1)\, U_s(c_2, 1)\, \frac{U_{e_2}(c_1, 1)}{U_{e_1}(c_2, 1)} \right] \pmod n.$$

Proof. Since

$$U_{e_2}(c_1, 1) = U_{e_2 e_1 d_1}(c_1, 1) = U_{e_2 d_1}(c_1, 1)\, U_{e_1}\big(V_{e_2 d_1}(c_1, 1), 1\big) = U_{e_2 d_1}(c_1, 1)\, U_{e_1}(c_2, 1) \pmod n,$$

we have

$$\begin{aligned}
2m &= 2V_{d_1}(c_1, 1) = 2V_{d_1(r e_1 + s e_2)}(c_1, 1) = 2V_{r + d_1 s e_2}(c_1, 1) \\
&= V_r(c_1, 1)\, V_{d_1 s e_2}(c_1, 1) + (c_1^2 - 4)\, U_r(c_1, 1)\, U_{d_1 s e_2}(c_1, 1) \\
&= V_r(c_1, 1)\, V_s(c_2, 1) + (c_1^2 - 4)\, U_r(c_1, 1)\, U_{d_1 e_2}(c_1, 1)\, U_s\big(V_{d_1 e_2}(c_1, 1), 1\big) \\
&= V_r(c_1, 1)\, V_s(c_2, 1) + (c_1^2 - 4)\, U_r(c_1, 1)\, U_{d_1 e_2}(c_1, 1)\, U_s(c_2, 1) \\
&= V_r(c_1, 1)\, V_s(c_2, 1) + (c_1^2 - 4)\, U_r(c_1, 1)\, \frac{U_{e_2}(c_1, 1)}{U_{e_1}(c_2, 1)}\, U_s(c_2, 1) \pmod n.
\end{aligned}$$

$\square$
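The recovery formula and its proof, worked through in code as an added example (this is not the report's own code): a minimal LUC implementation with $Q = 1$, two encryptions of one message under coprime exponents $e_1, e_2$ that share the modulus $n$, and the recovery of $m$ from $c_1, c_2$ alone, without either private exponent. The toy primes, exponents and message are constructed, and the names lucas_uv, luc_encrypt and common_modulus_recover are chosen here; the call pow(U_{e_1}(c_2,1), -1, n) is where the formula's implicit requirement that $U_{e_1}(c_2, 1)$ be invertible modulo $n$ is enforced.

```python
# Added example, not the report's code: LUC (Lucas sequences, Q = 1) with two
# exponents on one modulus, and the report's recovery formula. Toy values constructed.

def _mat_mul(A, B, n):
    a, b, c, d = A
    e, f, g, h = B
    return ((a*e + b*g) % n, (a*f + b*h) % n, (c*e + d*g) % n, (c*f + d*h) % n)

def lucas_uv(P, k, n):
    """(U_k(P,1), V_k(P,1)) mod n for any integer k; k < 0 via U_-k = -U_k, V_-k = V_k."""
    neg, k = k < 0, abs(k)
    # M = [[P, -1], [1, 0]] satisfies M^k = [[U_{k+1}, -U_k], [U_k, -U_{k-1}]]
    res, base = (1, 0, 0, 1), (P % n, (-1) % n, 1, 0)
    while k:                                   # square-and-multiply on M
        if k & 1:
            res = _mat_mul(res, base, n)
        base = _mat_mul(base, base, n)
        k >>= 1
    u_next, u = res[0], res[2]
    v = (2 * u_next - P * u) % n               # V_k = 2 U_{k+1} - P U_k
    return ((-u if neg else u) % n, v)

def luc_encrypt(m, e, n):
    return lucas_uv(m, e, n)[1]                # c = V_e(m, 1) mod n

def egcd(a, b):
    """(g, r, s) with r*a + s*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def common_modulus_recover(c1, c2, e1, e2, n):
    """m = (1/2)[V_r(c1)V_s(c2) + (c1^2-4) U_r(c1) U_s(c2) U_e2(c1) / U_e1(c2)] mod n."""
    g, r, s = egcd(e1, e2)
    if g != 1:
        raise ValueError("attack needs gcd(e1, e2) = 1")
    u_r, v_r = lucas_uv(c1, r, n)
    u_s, v_s = lucas_uv(c2, s, n)
    u_e2_c1 = lucas_uv(c1, e2, n)[0]
    u_e1_c2 = lucas_uv(c2, e1, n)[0]
    inv = pow(u_e1_c2, -1, n)                  # ValueError if U_e1(c2) is not invertible mod n
    two_m = (v_r * v_s + (c1 * c1 - 4) * u_r * u_s * u_e2_c1 * inv) % n
    return (two_m * pow(2, -1, n)) % n

if __name__ == "__main__":
    n, e1, e2, m = 61 * 53, 7, 11, 1234        # constructed toy parameters
    c1, c2 = luc_encrypt(m, e1, n), luc_encrypt(m, e2, n)
    print(common_modulus_recover(c1, c2, e1, e2, n) == m)
```

For any coprime pair $e_1, e_2 > 1$ one of $r, s$ is negative, so the negative-index identities for $Q = 1$ are essential to the formula rather than a corner case.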

Notice that the attack of Coppersmith et al. [2] can also be used, but it works only for encryption exponents $e_i$ of up to about 32 bits.

© 1996 by UCL Crypto Group. For more information, see http://www.dice.ucl.ac.be/crypto/techreports.html


References

[1] Bleichenbacher, D. Personal communication, Dec. 1996.
[2] Coppersmith, D., Franklin, M., Patarin, J., and Reiter, M. Low exponent RSA with related messages. In Advances in Cryptology - Eurocrypt '96 (1996), U. Maurer, Ed., vol. 1070 of Lecture Notes in Computer Science, Springer-Verlag, pp. 1-9.
[3] Simmons, G. J. A "weak" privacy protocol using the RSA crypto algorithm. Cryptologia 7, 2 (Apr. 1983).

